How to Show Asterisks While Typing Sudo Password in Linux

Most applications normally display a feedback using asterisks (*******) when a user is typing a password, but on the Linux terminal, when a normal user runs the sudo command to gain super user privileges, he/she is asked for a password, but no visual feedback is seen by the user while typing the password.

In this article, we will show how to display asterisks as feedback when you type passwords in the terminal in Linux.

Take a look at the following screen shot, here the user tecmint has invoked the sudo command to install the vim text editor in CentOS 7, but there is no visual feedback as the password is typed (in this case the password has already been entered):

$ sudo yum install vim

No Sudo Password Shown

You can enable the password feedback feature in /etc/sudoers file, but first create a backup of the file, then open it for editing using the visudo command.

$ sudo cp /etc/sudoers /etc/sudoers.bak
$ sudo visudo

Search for the following line.

Defaults env_reset

And append pwfeedback to it, so that it looks like this.

Defaults env_reset,pwfeedback

Configure Sudoers File

Now press Esc key and type :wq to save and close the file. But if you are using nano editor, save the file by hitting “Ctrl+x” and then “y” followed by “ENTER” to close it.

Then run the command below to reset your terminal for the above changes to start working.

$ reset

That’s it, now you should be able to see a visual feedback (****) every time when you typing a password on the terminal, as shown in the following screen shot.

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

Many places (large places) have very tight control on the sudoers, and rightly so.
Modifying it for your personal gain is not allowed.

Also if you have 700+ systems each with their own sudoers setup, you don’t want to be changing it. I distribute my home and it then works on all the systems.

My technique using the SUDO_ASKPASS hook (with sudo -A option) does not require changes to the system level configuration, it works at a personal level! I also do things to allow me to setup some environment root shell via sudo (for things like X windows).

You will have to modify sudo configuration as shown, to the best of our knowledge. Once we find a way to “get sudo to display stars for password entry WITHOUT modifying the sudo configuration”, we will let you know. Thanks for the feedback.

Also, Aaron’s comments regarding the potential security risk are spot on. Not everyone believes there’s a cache of password thieves lurking over their shoulders. Virtually every cell phone app and webpage has key-for-key asterisks as feedback when typing your password. This just adds uniformity to the shell. Besides. it’s Linux – you can configure your Linux any way you like,

It might be a good idea for you to mention WHY sudo doesn’t do this. Showing asterisks is a security risk, it allows someone (over the shoulder, or screenshot, etc) to know the number of characters you entered, which allows you to reduce the number of brute force attempts.

I suppose you are sharing the same concern as @RTR, in case you are operating computers in security critical environments then you can leave this feature turned off, especially where there are strict security policies in place against such practices. But i believe it is useful on personal computers or home work stations.

Yes there are reasons for not showing asterisks. And there are also ways to still get keypress feedback without showing how may characters you typed. It all depends on how you set up your “askpass” program.

* Output a random number of stars with each character input.
But you may need to keep track of the number for ‘deletes‘.

* Show a ascii-art animation (a random muber of steps) for each key…+ Cycle a spinning line, \ | / - or pulsing star . + * + .
+ or a short bar with a star bounce back and forth
This does not need to keep track for deletions as you just continue the
animation when you get a delete or reset line signal.

* Allow the use to turn on no-echo by pressing delete at the start
“systemd-ask-password” actually does this, printing “(no echo)”.

What for? To make sure that nobody is going to be able to look over your shoulder and lift your password? There are far simpler ways of thwarting this particular attack vector. This is an idea that looked virtuous originally, that was never that great, that probably creates more issues than it solves, and that should be ditched, once and for all.

Good concern, but i believe as long as the password is not seen, there should really be some kind of visual feedback for a user to know the length of a password they have typed, particularly for long passwords.

However, if you are working in security critical environments then you can disable this feature, especially where there are strict security policies in place against such practices.